Getting paranoid about ssh-agent
Wednesday, 1. 09. 2010 – Category: vague
A colleague asked me about my SSH setup, which uses different SSH agents for each set of keys that I use (I tend to use a different keypair for each client I work with) and also makes ssh-agent confirm with me each time a key is used.
What’s the point of all that? Because it’s trivially easy to take over someone else’s SSH agent if you have root on a box they’re forwarding to:
$ ssh-add -l
1024 c7:ba:59:92:98:40:f4:53:75:e3:7f:03:fc:0e:3b:bd /Volumes/key/ssh/id_dsa-zomo-bbc (DSA)
$ sudo -i
# ls -ld /tmp/ssh-*
drwx------ 2 victim admins 4096 Aug 27 16:20 /tmp/ssh-bsKJhM8501
drwx------ 2 me admins 4096 Sep 1 09:25 /tmp/ssh-NpAJW14419
# SSH_AUTH_SOCK=/tmp/ssh-bsKJhM8501/agent.8501 ssh-add -l
1024 7a:0a:df:bb:ab:cd:af:e1:04:97:cd:05:34:8c:b4:68 /home/victim/.ssh/id_dsa (DSA)
By setting SSH_AUTH_SOCK to their agent’s forwarding socket you can gain use of their agent for onward logins. Laws may apply.
To mitigate this risk, I use a collection of scripts that do two things
-
Run different SSH agents for different keys, so that a compromised agent
has only limited use (eg: root on client A’s hosts can’t use it access
client B’s hosts). -
Require ssh-agent to prompt for confirmation before it uses a key, so that
a compromised agent stands less chance of being exploited (if I’m away or I decline the request then nothing happens).
They’re here: http://github.com/zomo/ssh-bits. No points for elegance, but they scratch the itch.
One Response to “Getting paranoid about ssh-agent”
Leave a Reply
Recent articles
- pf on OS X 10.7
(Wednesday, 14. 09. 2011 – 3 Comments) - Cyrus saslauthd and passwords containing quote marks
(Saturday, 11. 06. 2011 – No Comments) - Competing webserver workloads
(Thursday, 17. 02. 2011 – No Comments) - Timeouts and failing fast
(Sunday, 23. 01. 2011 – No Comments)
Archives
- September 2011
- June 2011
- February 2011
- January 2011
- October 2010
- September 2010
- February 2010
- September 2009
- August 2009
- January 2009
- September 2008
- August 2008
- July 2008
- May 2008
- April 2008
- February 2008
- January 2008
- November 2007
- October 2007
- September 2007
- August 2007
- December 2006
- November 2006
- August 2006
- June 2006
- May 2006
- March 2006
- February 2006
- January 2006
- December 2005
- November 2005
- October 2005
Meta
September 1st, 2010 at 4:30 pm
Nice.
I have a setup which automatically deletes the keys from my ssh agent a short time after my screensaver locks the screen, to make transitive attacks harder if my workstation is compromised when unattended. I have a script run by xautolock which wraps xlock, and forks a background shell which clears the ssh keys after a few minutes. (The delay makes it less annoying to return after a short break.) When xlock finishes (when the screen is unlocked) it runs ssh-add. There are a couple of files used as interlocks, so that it doesn’t prompt to re-add the keys if they haven’t been deleted, and it doesn’t delete the keys if the screen has already been unlocked.